- Our article series on malware continues with a deep dive into one of the most insidious forms of malware, the rootkit.
- A rootkit is one of the most sophisticated malware attacks in existence. Once a system is infected with a rootkit, it effectively opens a backdoor through which an attacker can gain access.
- Rootkits are particularly dangerous because they compromise computers at a very deep level, giving the attacker full administrative rights to the system – and evading traditional threat detection systems.
Perhaps the best way to begin a discussion on rootkits is by deconstructing the word itself.
The first half, “root”, refers to the name of the most trusted and secure account on some computers. The second half, “kit”, refers to software (malicious or not) that can be deployed to secure areas of a computer.
Put together, a rootkit can spell real trouble for any computer – and even more so for business users. Why? Because rootkits are designed to gain access to the most secure, most trusted area of a computer system. The upshot is that the computer itself sees the rootkit as entirely trustworthy, meaning traditional countermeasures can quickly fail.
If that sounds worrying, don’t panic, because rootkit malware attacks can be dealt with – and we can show you how.
So, without further ado, let’s get to the root of the problem.
What is a rootkit?
A rootkit is a form of cyberattack which aims to infect the area of a computer with the highest possible privileges in order to give the attacker maximum control.
Once infected at a low level, an attacker will essentially have complete administrative control of the computer, meaning they can access files, compromise data, send or intercept emails, steal passwords, and more.
It’s worth noting that not all rootkits are malicious in nature. Some might be used for low-level computer access, such as if you wanted to create a virtual optical drive – but rootkits remain a common weapon in the cyberattacker’s arsenal.
There are actually a few different types of rootkit which can infect a system at different levels, but here are the types that are most common today:
- Kernel mode rootkits are the most dangerous, as they infect the areas of the operating system with the highest administrative privileges. Because of these privileges, kernel-based rootkits are difficult to detect and can even hide themselves entirely.
- User mode rootkits are able to infect more secure areas of a computer, but they must do so via another application. This type of rootkit may rely on unpatched software or other exploits to make its way into target machines.
- Bootloader rootkits are unique in the sense that they actually infect what’s known as the “Master Boot Record” of a computer. This is a very deep-level attack which means the rootkit is loaded even before the operating system when you start the machine up.
Interestingly, despite having almost limitless access to the computer, modern rootkits are more commonly used as a deployment method for other forms of malware, like spyware or ransomware. The elevated privileges of the rootkit are simply used as kind of cloaking device to make changes to the computer’s security measures, meaning the rootkit can sit undetected and continuously launch different attacks at will.
How to detect and deal with a potential rootkit attack
As we’ve seen, rootkits are an incredibly evasive and insidious form of computer malware. They can be incredibly damaging – especially for small businesses – and yet may seem almost impossible to detect.
The biggest roadblock against detection of rootkits is the fact that the computer’s own countermeasures can no longer be trusted if a rootkit infection is suspected. Because rootkits can cloak their presence, a clear virus scan doesn’t really mean much.
So how do you go about detecting a rootkit infection? Here are a few key pointers:
- Check the computer’s files without loading the operating system. By removing the drive which is suspected of infection and checking its files from another computer and operating system, it’s possible to locate a rootkit when it’s not actively running.
- Review internet logs for unusual traffic. Sometimes, the only sign of a rootkit’s presence will be the changes it’s surreptitiously making to the computer. Most rootkits will be doing some sort of data transmission, and this can be seen by reviewing the network usage of the machine.
- Check the computer’s activity when idle. Rootkits are always operating quietly in the background, so if you’re not actively using a machine but its still showing activity in the Task Manager, a rootkit may be at work. (Just remember that some may actually be able to cloak even this activity).
Now, we know what you’re thinking: Where do I even begin? The measures we’ve listed above might be useful, but they can be highly technical and time-consuming, so it’s just not realistic for most business users. Luckily, the Get Support team is here to help.
To help our clients tackle rootkit-based threats, we strongly recommend the use of an Endpoint Detection and Response system like SentinelOne.
EDR platforms don’t rely on the local security policies of a single machine, meaning they’re unaffected by rootkits. Likewise, an EDR platform will be able to track and monitor any behaviour which may resemble rootkit activity; for example, a particular application or executable file trying to make changes to deep-level files or folders.
In terms of prevention, it’s also a good idea to familiarise yourself with the basics of cybersecurity and security hardening so that you’ve got the basics covered.
Prevent cyberthreats before they happen with Get Support
It’s clear that rootkit malware is some of the most stubborn, evasive, and difficult to remediate forms of cyberattack – but it’s not impossible.
If you want to avoid the enormous cost in both time and money that a rootkit attack could cause, the Get Support team is here to help. Get in touch today to ask about SentinelOne, our recommended EDR platform.
In the meantime, you can learn more about malware protection for your business from our other malware articles:
When you’re ready to talk about cybersecurity protection for your business, you can reach us anytime on 01865 59 4000, or just fill out the form below and we’ll do the rest.